retrieve_pin: refuse to retrieve PIN from URI more than one time
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 24 Apr 2018 06:36:06 +0000 (08:36 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 25 Apr 2018 05:07:30 +0000 (07:07 +0200)
That is, prevent re-using a static PIN once it is already known to
be wrong. Introduced tests of that behavior.

Resolves #425

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
lib/pkcs11.c
tests/pkcs11/pkcs11-import-with-pin.c

index e1aa64f191529745d18a6fa06b7013696c4f408b..e4d14f9f4ba358899f02ff3097753fe8f251bdf4 100644 (file)
@@ -2602,6 +2602,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
        /* First check for pin-value field */
        pinfile = p11_kit_uri_get_pin_value(info);
        if (pinfile != NULL) {
+               if (attempts > 0) {
+                       _gnutls_debug_log("p11: refusing more than a single attempts with pin-value\n");
+                       return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
+               }
+
                _gnutls_debug_log("p11: Using pin-value to retrieve PIN\n");
                *pin = p11_kit_pin_new_for_string(pinfile);
                if (*pin != NULL)
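Review bot: The new guard in the pin-value branch carries no comment saying why a second attempt is refused, and its log text reads "a single attempts"; both points also apply to the pin-source guard in the next hunk. A PIN embedded in the URI is identical on every call, so presenting it again can only repeat the failed login, and on tokens that count failed logins that presumably moves them toward lockout. A one-line comment such as `/* a PIN fixed in the URI cannot change between attempts; never present it twice */` would record that intent. The message would read better as `"p11: refusing more than a single attempt with pin-value\n"`, and likewise for pin-source. retrieve_pin starts and ends outside this hunk, so how the caller advances `attempts` is not visible here.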
@@ -2610,6 +2615,11 @@ retrieve_pin(struct pin_info_st *pin_info, struct p11_kit_uri *info,
                /* Check if a pinfile is specified, and use that if possible */
                pinfile = p11_kit_uri_get_pin_source(info);
                if (pinfile != NULL) {
+                       if (attempts > 0) {
+                               _gnutls_debug_log("p11: refusing more than a single attempts with pin-source\n");
+                               return gnutls_assert_val(GNUTLS_E_PKCS11_PIN_ERROR);
+                       }
+
                        _gnutls_debug_log("p11: Using pin-source to retrieve PIN\n");
                        ret =
                            retrieve_pin_from_source(pinfile, token_info, attempts,
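Review bot: With the guard added above it, `attempts` can no longer be positive when it reaches `retrieve_pin_from_source(pinfile, token_info, attempts, ...)`, so any retry-dependent handling inside that helper is now unreachable from this call. The helper's body is outside the hunk, so whether it has such handling cannot be confirmed here. If it does, a short comment at the call site would stop a later reader from assuming the helper still sees retries, for example `/* attempts is never > 0 here: a pin-source PIN is tried once only */`. The call itself continues past the end of this hunk.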
index 60cb6797239c500b96441524fdf99c12d8d7fbd5..4a5efd25899892e1c02d5fac876471cb66f3bdfa 100644 (file)
@@ -153,6 +153,16 @@ void doit(void)
        assert(gnutls_privkey_init(&pkey) == 0);
 
        /* Test 1
+        * Try importing with wrong pin-value */
+       ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value=XXXX");
+       if (ret != GNUTLS_E_PKCS11_PIN_ERROR) {
+               fprintf(stderr, "unexpected error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+               exit(1);
+       }
+       gnutls_privkey_deinit(pkey);
+       assert(gnutls_privkey_init(&pkey) == 0);
+
+       /* Test 2
         * Try importing with pin-value */
        ret = gnutls_privkey_import_pkcs11_url(pkey, SOFTHSM_URL";object=cert;object-type=private;pin-value="PIN);
        if (ret < 0) {
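Review bot: The failure branch of the new Test 1 prints `gnutls_strerror(ret)` under the heading "unexpected error", which is misleading when the import wrongly succeeds with ret == 0, the case this negative test exists to catch. Stating the expectation keeps the log readable in that case: `fprintf(stderr, "expected GNUTLS_E_PKCS11_PIN_ERROR in %d, got: %s\n", __LINE__, gnutls_strerror(ret));`. The matching check for the wrong pin-source in the next hunk uses the different wording "error in %d" and would benefit from the same message. doit() begins and ends outside this hunk.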
@@ -165,13 +175,26 @@ void doit(void)
        gnutls_free(sig.data);
        gnutls_privkey_deinit(pkey);
 
-       /* Test 2
-        * Try importing with pin-source */
+       /* Test 3
+        * Try importing with wrong pin-source */
        track_temp_files();
        get_tmpname(file);
 
-       write_pin(file, PIN);
+       write_pin(file, "XXXX");
+
+       assert(gnutls_privkey_init(&pkey) == 0);
+       snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file);
+       ret = gnutls_privkey_import_pkcs11_url(pkey, buf);
+       if (ret != GNUTLS_E_PKCS11_PIN_ERROR) {
+               fprintf(stderr, "error in %d: %s\n", __LINE__, gnutls_strerror(ret));
+               exit(1);
+       }
+
+       gnutls_privkey_deinit(pkey);
 
+       /* Test 4
+        * Try importing with pin-source */
+       write_pin(file, PIN);
 
        assert(gnutls_privkey_init(&pkey) == 0);
        snprintf(buf, sizeof(buf), "%s;object=cert;object-type=private;pin-source=%s", SOFTHSM_URL, file);
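Review bot: The `snprintf` added for Test 3 discards its return value, so a truncated URL would go unnoticed. A negative test is more exposed to this than the positive one: if `buf` were too short for SOFTHSM_URL plus the temporary path, the import could fail for a reason unrelated to the wrong PIN and still pass, should that failure map to GNUTLS_E_PKCS11_PIN_ERROR. The sizes of `buf` and `file` are declared outside the hunk, so this may be unreachable in practice. Checking the length makes the precondition explicit: `int n = snprintf(buf, sizeof(buf), ...); assert(n > 0 && (size_t)n < sizeof(buf));`.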